“Strutting and fretting his hour upon the security industry stage, And then being heard no more” Part Deux

The Players:

In my first installment of this series I laid out the framework for what I wanted to do to create a new paradigm in information security. The industry has become a den of charlatanism as well as FUD and it just seems to me that more of us in the business are feeling like Sisyphus. On the other end of the equation we have the balancing factor of companies, and people who comprise them, who are just unaware of the precepts of security and really, don’t seem to care once you introduce them to it. You usually get the litany of reasons why they won’t or can’t change the way things work for securities sake;

It’s too costly

It’s too hard

We can’t change those things because we will have too much down time

This could never happen to us

The end users will be too overtaxed with the changes

There are a myriad of other excuses I have heard over the years, but it just seems in general that you present things to people and they just don’t seem to feel that they are important. Even when you hand them a USB drive of their own data that you have taken from them as a part of an assessment. There will always be elements within the company with impetus to not take your advice on security matters and maybe even give you a large amount of pushback. This is especially true of any company that has little to no security posture to start with.

So who are the key client players?

C-Level Management

Middle Management

The CSO/CISO

End Users

Coders

Lawyers

HR

Above you have the key players that you will always have to navigate your way through to get any security initiatives created or actually implemented at a site. Often times, it is akin to herding cats as the saying goes to get anything accomplished, however, the one true key to it all are the C-Level Executives.

Why?

Because on average, they are not only the ones with the power to make decisions and to implement/mandate things company wide, but also because they are the most dangerous people to the company.

How’s that? You ask…

Well, usually they are not security aware, run ubermegacorporations, and often have the following characteristics;

They hold the keys to the kingdom with undue access and mobile assets

Companies cow tow to their every whim and give them said rights as well as unfettered internet access

Though they may be aware of security risks, they are far too aware of the “bottom line” on the ledger

These traits make the C-Level exec a tasty target for the attacker and often many a phishing email is used to gain a foothold on their machines. This is even more true in the case of corporations that I have worked with in the past who might say, be a target of APT attacks (i.e. Defense Contractors) There is nothing new here for many of you probably reading this if you are in the business, but it always amazes me at the lack of understanding some of these execs have about security and their place in it.

So, out of all of those players listed above, the C-Levels are the key targets for you to make your point to. You have to do it in such a way that you can convince them that what you are telling them is important but without actually making them think that you are the super hacker one of a kind guy who could only do it. Sometimes this is harder than you might think. Just as well, what if you are not performing a pentest and just an audit of their polices and procedures? What then? All you really have to do at present is look at the weak regulations and laws on the books now and you pretty much get the idea. They are gonna do a quick calculation in their head and say “bye”

I have seen it happen.

So what can you do? How can you reach this audience and get them to understand that the sum of the parts can equal utter compromise and that it’s just not all about a firewall and an IDS? That will be covered in a later section on approaches, however, let me impart one example of extreme results from a little leg work.

Example: UBER BANK A

I once did an assessment on a large bank in the US. This assessment was to be one that primarily focused on policies and procedures and security. After performing interviews with the lower ranks I got a chance to talk to the CFO and the CIO of the bank. Both interviews went over like lead balloons. I asked questions on the security values of their processes and got nonchalant dismissive answers back. In essence, they didn’t give a crap.

Given that this was 2002 and we had just been attacked on 9/11, I asked questions about the C-Level’s awareness of potential terrorism (uber bank had global ties) as well as things like did they have a K&R policy for their execs who traveled out of the country. Their answers came back with the same lack of care of forethought.

“Nope.. We have no need of that”

I left the meetings feeling that all of our efforts were for naught. These guys weren’t going to do anything about the things we would be recommending… Unless they got a taste of what “could” happen. So, I went on the offensive and began using the techniques of OSINT on them, their network, and their physical site.

I called it “Added Value” heh… Gotta love the buzz word bingo huh?

In the process of looking around I discovered that their intranet/physical site had a few interesting features/flaws.

It was a flat network

The C-Levels bios and travel calendars were on their website both externally and internally

Their wire room was physically insecure because of an internally facing window

The wire room was not alarmed

A new and CSO unapproved wire transfer system had been put into place with default log/pass

I located the manuals for the new wire transfer system on their intranet and downloaded it

From all of this information I did the following:

I Googled all information from the BIOS of the C-Levels and developed full dossiers on them and their families. I obtained their childrens names, schools, schedules, wives names etc (including sat photos of their homes)

I used their schedules online and created a scenario for the CEO to be kidnapped and ransomed on his upcoming trip out of the country (with maps and timetables)

I developed a proof of concept of how I could not only access the wire room via the unsecured window but also a network access using the flat network and the defaults on the new wire transfer system to transfer the maximum amount of money from their bank to another account. This transfer (20 million) would go un-noticed for at least 3 days per schedule

I had the CSO access the wire transfer system with the default pass/log and set up the transfer.. but did not carry it out.

After we had finished the report on the policies and procedures, I passed along the further documentation of the dossiers and the proof of concept… We left the next day. Soon after, I heard that the C-Levels were outraged at what I had done.

HOW DARE YOU!

This of course was mostly about the Dossiers on their families and the terrorist plans, but, the points had been made. They finally began to comprehend that they were indeed targets as well as they could lose major funds from their coffers because they had failed to protect the systems properly.

Years later (in fact last year) I heard from someone who just happened to go to Uber Bank A on a business trip. During the course of their visit, some of the people began to tell the tale of just how much security had improved in since a certain audit was performed by a scary hacker… Yep.. It was me. I even made an HR lady cry during that assessment… In any event, they learned from the things I did and they took steps to secure themselves better.

I had to scare them into it though and that kind of chance does not happen often… The C’s are usually quite insulated from reality. However, I think this is where the new breed of testing comes to play. This type of testing could be called “Red Teaming” or “Ninja Hacking” as one book puts it, but I would just call it something like; Offensive Auditing An audit that takes stock of the whole environment and shows just how vulnerable a company is from the ground up and offers a way to remediate it all. Had I not performed the extra assessment outside of the policy piece they would not been aware nor cared. You see, their policies were lacking as was their procedures, which they bypassed in the case of the wire transfer application implementation.

This is where I feel that the industry is failing in a big way. There are all kinds of audits and auditors out there but giving a client a pick and choose menu only leads to their own undoing because things will be missed. Never mind that the industry of late seems to be full of charlatans and ego’s that just don’t seem to be doing any greater good. This also applies to the organizations that offer certifications such as CEH/CISSP/ISACA etc.. There are just too many and not enough good ones.

The Infosec Industry: The Good, The Bad, & The LIGATT

So back to the lament about the industry. Just like any industry, one’s avocation can turn into a “vocation” as I said before. However, usually in the process of doing so, the love of it gets beaten down. Charlatans come out of the woodwork as well as the “music producer” types who just want to pimp anything for a buck. Its enough to make someone who really loves their job feel like just leaving it after you get the treatment from the clients as well as the one you get from the never ending stream of vendors and schlock.

What is one to do? Perhaps find a company that you can work for that does do things right (not IBM) or you go out on your own and start a company. Either way, you have to prepare yourself for the inevitable charlatan and vendor siege. If you can’t get past that, then you need to move on to something else. I say this because I can foresee no real way to change the business in a way that will be efficacious for “security” and never have its a contingent of greedy pseudo security wankers and clowns *cough* LIGATT.

It breaks down into these types though…

Some of us Just Want to Have It Done Right

Some of Us Just Want to Hack and Do Cool Shit

Some of us just want to Be Researchers

Some are just in it for the money

Some Are Just LIGATT

Just how can anyone wrangle all of this into a cogent business and legal model?

3 Responses

The best way I’ve found to deal with the lead balloon problem is not to talk tech – talk about the consequences instead. Like, “How do you think your customers would react if a news story broke that the bank was hacked and money was stolen by transferring it to a foreign country?” or “…if they found out their names, addresses and social security numbers were stolen?” or “If your server room burned down tomorrow, how long would it take for the bank to get its computers back up and running? Would you be able to share the restoration of services plan with me?” or “What if someone walked into the bank and was able to steal everyone’s user name and password?” i.e. Cleaners put physical keyloggers on all the computers. Put a keylogger in front of them and then ask, “Have you ever seen one of these before?”

Everyone in the computer security professions should have a back-up plan. I’m fortunate in that I’m a Swiss Army knife when it comes to tech (23 years in the biz), so I can and have done just about everything. The biggest challenges is staying current on knowledge and skills.

@MR
Thanks, yeah the whole point I am trying to get at overall with the posts is that a new method that is more holistic should be the way to go about an assessment. All too often I go to sites and the most basic of processes and policies are not in play. From that stance they have so many bad practices that allow for low hanging fruit attacks to completely compromise them.

In this model we need to also reach and teach the C levels about the security values of simple things and extend that to the technical means by which we have raped and pillaged their companies. Without a complete understanding they and import of what we are telling them, they will never really even try to change things. All too often though, you have to shock them into enlightenment with a big stick.

.. and yes, being a generalist is a good thing. You bring in the heavy hitters once the basics have been remediated.